LANGuardian 14.5

NetFort is delighted to announce the availability of our latest LANGuardian release, V14.5.

“One of our objectives is to ensure that our customers always have ‘eyes on their traffic,’ including their data centers, hybrid and public cloud,” said John Brosnan, CEO.

LANGuardian 14.5 includes:

AWS flow log support.

PCAP (packet capture) import and export options.

Passive username capture from RADIUS traffic.

Migration to Suricata IDS.

AWS Flow Log Support

LANGuardian can now process Amazon VPC Flow Logs and generate metadata similar to what it produces from NetFlow. The flow log records are merged into sessions, GeoLocation information is added, and the result is saved in the NetFort database. Read more about it here.

Username Extraction from RADIUS Traffic

RADIUS stands for Remote Authentication Dial In User Service. Typically, a user login consists of a query (Access-Request) from the NAS to the RADIUS server and a corresponding response (Access-Accept or Access-Reject) from the server. The Access-Request packet contains the username, the user's password (hidden with an MD5-based XOR keyed by the RADIUS shared secret rather than strongly encrypted), the NAS IP address, and the NAS port. The User-Name attribute is sent in the clear, which is what makes passive capture possible.

Our latest release includes a decoder for RADIUS traffic so user names can be captured directly from network traffic and stored within database tables on LANGuardian. You can then use this information to associate network and application activity with usernames. Read more in this blog post which looks at passive capture of usernames from RADIUS traffic.

PCAP Import & Export

LANGuardian 14.5 has a single page for the import and export of PCAP (packet capture) files. You can now extract network packets with or without filters by using the PCAP File Management page. Read more in this blog.

Migration to Suricata IDS

LANGuardian 14.5 now uses Suricata, which is a modern multi-threaded, high performance IDS. Suricata inspects network traffic by using a powerful, extensive rules and signature language. It also has strong Lua scripting support to detect complex threats.

What is RYUK Ransomware?

An advisory from the US based Department of Health and Human Services notes that attacks involving RYUK appear to be targeted. In fact, its encryption scheme is intentionally built for small-scale operations, so that only crucial assets and resources are infected in each targeted network by a manual distribution from the attackers.

Search engines such as Shodan allow cyber criminals to find networks where Remote Desktop Protocol (RDP) is exposed to the Internet. A tool such as NLBrute can then be used to try a whole range of RDP passwords. Make sure you are constantly checking inbound traffic on your network for any suspicious activity.

Targeted companies are selected one at a time, either via spear-phishing emails or Internet-exposed, poorly secured RDP connections. RDP allows remote use, even of fully-graphical applications that can’t be scripted or operated via a command prompt.

RYUK uses a combined AES-RSA encryption scheme. Without the attackers' private RSA key the files cannot realistically be decrypted, unless the RYUK team made mistakes in its implementation. The encryption method that RYUK uses is more or less identical to that of the Hermes malware.

Previous versions of the Hermes ransomware have been an on-and-off threat that surfaces at random intervals with a mass spam campaign. The new RYUK ransomware strain appears to be a new attempt from the Lazarus Group at developing a SamSam-like strain to use in precise surgical strikes against selected organizations.

Monitoring File Activity on Your Network

You need to be monitoring file and folder activity before you can detect active Ransomware, like RYUK, on your network. One of the easiest ways to do this is to monitor network traffic going to and from your network file servers. Most managed switches support SPAN or mirror ports and these allow you to get a copy of the network packets going to and from your file servers.

Once you have your data source in place, you can use a tool like our own LANGuardian to extract file and folder metadata from the network packets. Metadata includes information such as filenames, actions and usernames.

As well as monitoring traffic associated with your file servers, we also recommend that you monitor all traffic at your network perimeter (just inside your firewall). Ransomware needs to communicate with the outside world, so having visibility at the network edge is important when it comes to detecting and alerting on Ransomware like RYUK.

The image below shows some of the things that you should watch out for when it comes to RYUK Ransomware.

1. Watch out for an increase in file renames.

File renames are not a common action when it comes to activity on network file shares. Over the course of a normal day, you may end up with just a handful of renames even if you have hundreds of users on your network. When Ransomware like RYUK strikes, it will result in a massive increase in file renames as your data gets encrypted.

You can use this behavior to trigger an alert. If the number of renames exceeds a certain threshold, then you have a potential Ransomware issue. Our recommendation is to base your alert on 4 or more renames per second.

2. Check for files with the .RYK extension

Use LANGuardian’s Search by File/Folder Name report to filter for any file with the .RYK extension.

3. Check network shares for ransom notes

When RYUK Ransomware encrypts files on your network it leaves a ransom note as a text file named “RyukReadMe.txt”. The message is from the RYUK developers and informs victims that all data has been encrypted using a strong cryptography algorithm. They state that backups and shadow copies have also been encrypted.

RYUK ransomware developers also state that only they can provide victims with a decryption tool, and no other tools are capable of decryption. In summary, they make it clear that no other party can help with RYUK infected computers. These cyber criminals also warn users that shutting down or restarting a computer might cause damage or data loss. They urge people not to delete or rename the “RyukReadMe.txt” text files.

RYUK developers offer free decryption of two files to prove decryption is possible and in an attempt to give the impression that they can be trusted. To decrypt the remaining data, users must contact them. However, it is recommended that you do not contact the RYUK developers under any circumstances.

Instead, use LANGuardian’s Search by File/Folder Name report to filter any file with the name RyukReadMe.txt
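The three indicators above (a burst of renames, the .RYK extension, and the RyukReadMe.txt note) can be checked mechanically once file activity is being captured as metadata. The following is an added example written for this page, not LANGuardian code: it runs over a constructed set of SMB file-activity records (the timestamps, share paths, client addresses and usernames are made up) and applies the 4-renames-per-second rule per client, then looks for the extension and the note.

```python
from collections import Counter
from datetime import datetime

# Constructed SMB file-activity records in the shape a DPI sensor could emit:
# timestamp, client IP, username, action, path, and for RENAME the new path.
# These lines are made up for the example; they are not LANGuardian output.
SAMPLE_LOG = r"""
2018-11-20T09:15:02 10.1.1.50 jsmith OPEN \\fs01\finance\Q3-report.docx
2018-11-20T09:15:03 10.1.1.50 jsmith RENAME \\fs01\finance\Q3-report.docx \\fs01\finance\Q3-report-final.docx
2018-11-20T09:15:30 10.1.1.77 svc-backup RENAME \\fs01\finance\budget.xlsx \\fs01\finance\budget.xlsx.RYK
2018-11-20T09:15:30 10.1.1.77 svc-backup RENAME \\fs01\finance\payroll.xlsx \\fs01\finance\payroll.xlsx.RYK
2018-11-20T09:15:30 10.1.1.77 svc-backup RENAME \\fs01\finance\forecast.pptx \\fs01\finance\forecast.pptx.RYK
2018-11-20T09:15:30 10.1.1.77 svc-backup RENAME \\fs01\finance\invoices.pdf \\fs01\finance\invoices.pdf.RYK
2018-11-20T09:15:30 10.1.1.77 svc-backup RENAME \\fs01\finance\contracts.docx \\fs01\finance\contracts.docx.RYK
2018-11-20T09:15:31 10.1.1.77 svc-backup WRITE \\fs01\finance\RyukReadMe.txt
2018-11-20T09:15:31 10.1.1.77 svc-backup RENAME \\fs01\finance\notes.txt \\fs01\finance\notes.txt.ryk
2018-11-20T09:16:10 10.1.1.60 amurphy WRITE \\fs01\shared\minutes.docx
"""

RENAME_THRESHOLD = 4  # renames per client per second, the figure recommended above


def parse_events(text):
    """Parse the constructed log into dicts; RENAME records carry both old and new path."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        ts, client, user, action = parts[:4]
        ev = {"ts": datetime.fromisoformat(ts), "client": client, "user": user,
              "action": action, "path": parts[4]}
        if action == "RENAME":
            ev["new_path"] = parts[5]
        events.append(ev)
    return events


def rename_rate_alerts(events, threshold=RENAME_THRESHOLD):
    """Indicator 1: count RENAMEs per (client, user, wall-clock second); alert at >= threshold."""
    per_second = Counter()
    for ev in events:
        if ev["action"] == "RENAME":
            per_second[(ev["client"], ev["user"], ev["ts"].replace(microsecond=0))] += 1
    return {(client, user, ts.isoformat(), n)
            for (client, user, ts), n in per_second.items() if n >= threshold}


def ryk_files(events):
    """Indicator 2: any path (old or new) that carries the .RYK extension, case-insensitive."""
    hits = set()
    for ev in events:
        for key in ("path", "new_path"):
            p = ev.get(key)
            if p and p.lower().endswith(".ryk"):
                hits.add(p)
    return hits


def ransom_notes(events):
    """Indicator 3: a RyukReadMe.txt file touched on any share."""
    return {ev["path"] for ev in events
            if ev["path"].split("\\")[-1].lower() == "ryukreadme.txt"}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("rename bursts:", rename_rate_alerts(evs))
    print(".RYK files:", len(ryk_files(evs)))
    print("ransom notes:", ransom_notes(evs))
```

The rate rule is keyed on client address and username together so that one noisy backup job on a single host does not hide a second infected host in the same second; lower the threshold only if your baseline rename rate is genuinely near zero.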

If you have any questions about how to detect RYUK Ransomware or other variants on your network, do not hesitate to contact us and speak with one of our helpful technical support team.

What is RADIUS?

RADIUS stands for Remote Authentication Dial In User Service. A RADIUS server can support a variety of methods to authenticate a user. When it is provided with the username and original password, given by the user, it can support PPP, PAP or CHAP, UNIX login, and other authentication mechanisms.

Typically, a user login consists of a query (Access-Request) from the NAS to the RADIUS server and a corresponding response (Access-Accept or Access-Reject) from the server. The Access-Request packet contains the username, the user's password (hidden with an MD5-based XOR keyed by the shared secret, not strongly encrypted), the NAS IP address, and the NAS port. The username travels in the clear.

Why the need to capture username from RADIUS traffic?

Many of our customers who provide wireless access on their networks use RADIUS to authenticate users. Active Directory is often used to authenticate wired devices or devices which can be managed and added to the Active Directory domain. However, if you allow unmanaged devices onto your network, like you would in a University, RADIUS is a better choice for user authentication.

A few years ago, we added Active Directory integration to our LANGuardian product as customers wanted to associate network activity to usernames rather than IP addresses. We implemented this by collecting user logon events from domain controllers and storing them locally on LANGuardian where they could be cross referenced by running a report.

Initially, RADIUS integration seemed to be more complicated. As you can deploy the system on different platforms, you never have a standard source of user logon events. However, a customer of ours, an Information Security Manager at a Scottish university, suggested a new way to capture usernames during an onsite meeting. He said that it may be possible to capture usernames directly from network traffic.

They had large wireless networks and wanted usernames so they could save time troubleshooting operations and security issues. Their LANGuardian instance was highlighting user and application issues, but the source was always an IP address. They then had to spend more time working out what user was responsible by manually checking logs.

We took a sample PCAP from their network and used it to build a passive RADIUS username capture module. The image below shows how usernames can be seen within RADIUS.

Passive capture of usernames from RADIUS traffic using LANGuardian

LANGuardian captures traffic from both a SPAN port and other traffic sources. It then uses deep packet inspection techniques to consolidate and correlate the data gathered by the traffic collection engine. In essence, we have a series of application decoders for popular applications like SMB, SQL, Web, and Email. Our latest release includes a decoder for RADIUS traffic.

The image below shows the basics of how our RADIUS traffic decoder works. Firstly, we receive network packets (1) from a SPAN mirror port or TAP (2). The LANGuardian content based recognition engine (CBAR) then detects the RADIUS protocol (3) and sends the data to the RADIUS traffic decoder. This decoder extracts relevant metadata (4) like username, IP address and time/date of logon.

Once you capture usernames with LANGuardian, you can use this data with any LANGuardian report. The first example below shows how you can monitor network traffic to find out who is doing what on the Internet. Click on the image to view the report on our online demo.

In the next example, we show how you can generate an audit trail of file and folder activity (SMB and NFS) with usernames. This can also be used to root out security issues such as SMBv1 use on a network. Click on the image to view the report on our online demo.

If you have any questions about how to analyse RADIUS traffic on your network and extract usernames, or would like to know more about how our network traffic monitoring tool can meet your organization´s requirements, do not hesitate to contact us and speak with one of our helpful technical support team.

In both cases hosts located outside your network try to connect to devices hosted inside your LAN or cloud environments. The printer exploit is an unusual one. Its main purpose is to deliver PewDiePie propaganda around the world. PewDiePie is currently the most subscribed to channel on YouTube. Recently it has been in a battle for this position with an Indian company called T-Series.

Over the last couple of days, Twitter users have been posting screenshots of unsolicited printouts from internet-connected printers that say that PewDiePie needs their help. A Twitter user called TheHackerGiraffe has claimed responsibility and said they did this to raise awareness of printer security.

The second inbound exploit attempt has a more sinister background. A cybercriminal group has managed to steal a total of 38,642 Ethereum, worth more than $20,500,000, from clients exposing the unsecured JSON-RPC interface on port 8545. The process behind this is simple: attackers scan networks for port 8545, looking for geth clients whose RPC interface is reachable without authentication, and use it to transfer the cryptocurrency out. Geth is a multipurpose command line tool that runs a full Ethereum node implemented in Go.

How to monitor inbound traffic on your LAN

One quick check is whether TCP ports 9100 or 8545 are open inbound on your firewall. An open port is not in itself evidence of activity, but you should close both to all external clients.

A better approach is to monitor network traffic going to and from the Internet using a SPAN, mirror port or network TAP. Once a traffic source is established you can use a product like our own LANGuardian to report on what ports and applications are being used.

The image below shows an example of what to look out for. In this case we can see evidence of SMB activity. Ports like 9100, or 445 which SMB uses, should not be reachable by unknown external clients. Click on the image below to access this report on our online demo.

In the next example we are looking at what ports are accepting connections from external clients. Again we can see the activity on TCP port 445. Looking through the results, I also need to check the activity on port 49158. Click on this image to access the report on our online demo.

In order to check your firewall configuration and get visibility of traffic at an application level allowed in through your firewall, simply deploy a traffic analysis system such as LANGuardian and configure the sensor SPAN or mirror port correctly.

A SPAN port configured to mirror the link between your internal network and the firewall is a simple and very useful way to validate firewall rules, including those configured by an external consultant. The video below goes through what is needed to get network traffic analysis in place at your network edge together with the steps to get LANGuardian in place monitoring this traffic.

How to monitor inbound traffic in the cloud

When an infosec alert like the ones mentioned above goes out, the obvious thing to do is check your on-premises data centers for suspicious activity. This is certainly a good starting point. However, don’t forget about your cloud based networks. They may be targeted even more than your on-premises networks. Getting visibility in the cloud is not as straightforward as with a more traditional on-premises network.

Recently we announced support for AWS VPC Flow Log Analysis and we will also have an option for Azure monitoring shortly. I took a look at reports associated with our AWS estate and sure enough there is evidence of inbound activity on port 9100, see image below. In our case this was blocked. I observed similar activity for inbound connections on 8545.
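The AWS side of this check can be reproduced from the raw flow logs without any product. The following is an added example written for this page, not LANGuardian's flow log code: it parses VPC Flow Log records in the default version 2 field order, merges them into inbound sessions the way the release notes describe, and flags the ports discussed above. The records, account ID, ENI, VPC range (10.0.0.0/16) and watched-port list are constructed assumptions; source addresses use the RFC 5737 documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed VPC Flow Log records (default version 2 field order):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. Made up for this example.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51234 9100 6 3 180 1542364800 1542364830 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.44 10.0.1.20 40000 8545 6 12 2048 1542364805 1542364860 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.44 10.0.1.20 40001 8545 6 8 1400 1542364900 1542364930 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.21 55000 445 6 6 900 1542364810 1542364840 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.77 10.0.1.21 44444 443 6 20 6000 1542364811 1542364870 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.1.21 50000 445 6 30 9000 1542364812 1542364890 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 192.0.2.77 33000 443 6 5 700 1542364813 1542364820 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1542364814 1542364874 - NODATA
"""

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC range
# Python's is_private() also flags the documentation ranges used above, so test RFC 1918 explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED_PORTS = {9100: "raw printing (JetDirect)", 8545: "Ethereum geth JSON-RPC",
                 445: "SMB", 3389: "RDP"}


def is_external(ip):
    return not any(ip in net for net in RFC1918)


def parse_flow_log(text):
    """One dict per usable record; NODATA/SKIPDATA records carry no addresses and are dropped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[13] != "OK":
            continue
        records.append({"src": ipaddress.ip_address(f[3]), "dst": ipaddress.ip_address(f[4]),
                        "sport": int(f[5]), "dport": int(f[6]), "proto": int(f[7]),
                        "packets": int(f[8]), "bytes": int(f[9]),
                        "start": int(f[10]), "end": int(f[11]), "action": f[12]})
    return records


def inbound_sessions(records, vpc=VPC_CIDR):
    """Merge records into (src, dst, dport, proto) sessions for traffic entering the VPC
    from non-RFC1918 addresses; counts how many flows the security group accepted or rejected."""
    sessions = defaultdict(lambda: {"flows": 0, "bytes": 0, "accepted": 0, "rejected": 0})
    for r in records:
        if r["dst"] in vpc and is_external(r["src"]):
            s = sessions[(str(r["src"]), str(r["dst"]), r["dport"], r["proto"])]
            s["flows"] += 1
            s["bytes"] += r["bytes"]
            s["accepted" if r["action"] == "ACCEPT" else "rejected"] += 1
    return dict(sessions)


def exposed_port_findings(sessions, watched=WATCHED_PORTS):
    """Sessions on watched ports; 'blocked' is True only if every flow was rejected."""
    findings = []
    for (src, dst, dport, proto), s in sorted(sessions.items()):
        if dport in watched:
            findings.append({"src": src, "dst": dst, "port": dport, "service": watched[dport],
                             "flows": s["flows"], "bytes": s["bytes"],
                             "blocked": s["accepted"] == 0})
    return findings


if __name__ == "__main__":
    for f in exposed_port_findings(inbound_sessions(parse_flow_log(SAMPLE_FLOW_LOG))):
        print(f)
```

A REJECT on 9100 is the benign case the text describes (probing that the security group stopped); an ACCEPT on 8545 or 445 from an external source is the finding to act on, and the session merge makes repeated flows from the same scanner show up as one row rather than many.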

If you have any questions about how to monitor traffic on your network using LANGuardian, or would like to know more about how our network traffic monitoring tool can meet your organization´s requirements, do not hesitate to contact us and speak with one of our helpful technical support team.

What our customers want to extract from PCAP files

In my previous blog post on the topic of PCAP file management, I looked at how you can import and export PCAP files from LANGuardian. Since then we had a number of queries come in from customers and website visitors. One in particular caught my eye. It came from a network engineer who had very specific requirements. They have a large PCAP repository and they need a tool to process these files and provide reporting on:

Identify all the unique IP addresses involved in the PCAP, sources and destinations

Identify the “big talkers” which IP’s account for sending and receiving the most traffic. ideally a list of IP’s, packets sent, and the number of packets received WITH the ability to sort by # of packets sent or received (that would show the big talkers)

The types of traffic by protocol

I need to have some ability to utilize an AV engine against the traffic. One way to do this with Wireshark is typically via tcpreplay, you set up a “clean system” with IDS enabled then tcpreplay to it suspect packets and watch its alarms/logs.

Why can’t you use Wireshark for analyzing PCAP files?

Wireshark is an excellent tool and I use it a lot myself. The most common features I use are the packet analysis and Follow TCP Stream options. What it is not good at is giving you a top level view, a summary of what went on with drill down capability to get to the detail. Another limitation is the ability to cross reference the data in the packets with threat databases or IDS signatures.

Wireshark doesn’t work well with large network capture files (you can turn all packet coloring rules off to increase performance). Some of the most interesting network data can be sourced from a SPAN or mirror port but these data sources will result in large PCAP files.

Identify all the unique IP addresses involved in the PCAP, sources and destinations

Every packet of data in a PCAP file will contain source and destination IP addresses. A modest sized PCAP could contain thousands of addresses so you need a quick and efficient way to capture these and store them in a database.

Wire data analytics is the term often used for extracting metadata such as IP addresses from PCAP files, or directly from the network when you monitor traffic from a SPAN or mirror port. The image below shows a sample of the network inventory type information which LANGuardian can extract from a PCAP file. Click on the image to access this report in our online demo.

Identify the “big talkers” which IP’s account for sending and receiving the most traffic

Some time ago I spoke to a LANGuardian customer who had just purchased the system for a client. They had found us while searching on the Internet for a tool which would “analyze PCAP files that I had collected from a customer’s network that was struggling with VOIP quality issues and massive bandwidth utilization“.

They also reported that “While I read and understand PCAP files fairly well, when it came time to analyze the data and determine who my top talkers are I was at a loss.” This is one of the big problems with tools like Wireshark: sometimes it can be hard to get that summary information. Who are the top talkers on the network?

Our customer installed LANGuardian and within a short period reports that “The LANGuardian software quickly pointed out several computers that were flooding the network with data and a network switch that was faulty. Our customer mitigated those problems and has had great VOIP quality and lower total bandwidth utilization on their LAN and WAN.”

The image below shows the output of the LANGuardian Top Talkers by Traffic Volume report. Click on the image to access this report on our online demo.

The types of traffic by protocol

Protocol recognition is the art and science of identifying the applications that are in use on a network and understanding the impact of each application in terms of bandwidth usage, user behavior, security, and compliance.

By inspecting the packet content in addition to the header, LANGuardian CBAR can see past the port and address information to identify the application and/or protocol that generated the packet. The image below shows the output of the LANGuardian Applications in Use report which shows the top protocols found in a PCAP file ordered by total bandwidth. Click on the image to access this report on our online demo.

Ability to utilize an AV engine against the traffic

When I read this requirement first I was confused. How could we replay traffic against an antivirus engine. Most antivirus systems run as a service and may check memory, disk, and other data sources for the presence of malware or viruses. I checked back and what they meant was if we could run the contents of the PCAP files past an IDS or threat database.

In the case of LANGuardian, we have both an IDS and traffic analysis module running in parallel. When you import a PCAP file, the contents is sent to each analysis engine where it is checked for signs of suspicious content. You can also write your own IDS signatures to search for specific text strings within the PCAP files. The video below goes through the process of creating a custom IDS signature to check for the presence of a text string.

If you have any questions about how to monitor traffic on your network using LANGuardian, or would like to know more about how our network traffic monitoring tool can meet your organization´s requirements, do not hesitate to contact us and speak with a member from our technical support team.

Working With PCAP Files

PCAP or packet capture files can be extracted from the network by using applications such as Wireshark or exporting them from network devices such as firewalls. They contain one or more network packets which can be used for troubleshooting network or application problems.

While they are useful for troubleshooting a very focused event, they can become difficult to work with if you capture traffic from multiple network devices. You may end up with millions of network packets which can be very time consuming if you try and review each one.

PCAP Features of LANGuardian

Capturing network metadata is an ideal approach when it comes to handling large packet captures. Just capture the human readable bits like IP address or SMB filename and discard the rest of the packet data. This is the approach we have used in our LANGuardian product for many years.

However, when reviewing customer feature requests, we noticed that a few had requested direct access to the traffic on the actual SPAN/mirror port or TAP connected to the LANGuardian. When we asked why the response made perfect sense:

“Sometimes when troubleshooting issues we need direct access to all the traffic to get to the detail and proof we need. So we usually take a packet capture and analyze it with tools like Wireshark.

Instead of grabbing a laptop, going down to the server room plugging it into the correct location, why not use our LANGuardian sensors? You guys are already connected and have access to the traffic across our network, we would like to use your sensors to take a PCAP very easily when we need to.”

A simple request that took some effort to implement, but it has been very well received. Even this week, for example, I was on a call with a prospect who was using our LANGuardian, and our GEO IP reports had spotted a machine on his network trying to make a connection to a server in China. He reckoned it was probably a bug in our software and said ‘Let me get my laptop and take a PCAP’. I told him we could do it immediately using the LANGuardian.

He took the PCAP, we analyzed it, it contained the same strange IP address and it verified our LANGuardian reports. It turned out that a well-known security appliance was making the connection request for some reason, and he immediately contacted the vendor. An interesting use case which also shows how important it is to have ‘eyes on the traffic’ everywhere and to have easy access to the traffic.

Extracting PCAP files from LANGuardian

You can extract network packets with or without filters by using the PCAP File Management page. To extract network packets, you must follow these steps:

Choose a network interface to capture packets from. It can be a local interface or an interface on a remote LANGuardian sensor.

The filter field is optional. Common examples would be:

host 10.1.1.100 – captures all traffic associated with 10.1.1.100

host 10.1.1.100 and (port 80 or port 25) – captures traffic associated with host 10.1.1.100 on port 80 or port 25. Note the parentheses and the or: a filter written as host 10.1.1.100 and port 80 and port 25 would match almost nothing, because a single packet can only satisfy both port clauses if one end is 80 and the other is 25.

When it comes to the number of packets, choose a small value like 100 initially. The more packets you capture, the larger the PCAP file.

Choose a file name. Be sure to use the .pcap extension if you want applications like Wireshark to recognize the file.
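The two halves of PCAP handling discussed on this page, the capture filter above and the summary questions from the earlier post (unique IP addresses, top talkers, traffic by protocol), can be shown together on the file format itself. The following is an added example written for this page, not LANGuardian or Wireshark code: a minimal reader for the classic libpcap file format with an Ethernet/IPv4/TCP/UDP decoder, a `host H and (port A or port B)` style filter, and the three summaries. The capture is constructed inline by a small writer (addresses and sizes are made up), and protocol naming is by well-known port, which is a simplification of content-based recognition.

```python
import struct
from collections import Counter, defaultdict


# ---- minimal pcap writer, used only to construct the sample input inline ----
def ipv4_frame(src, dst, proto, sport, dport, payload_len):
    """Ethernet + IPv4 + TCP(6)/UDP(17) header bytes; checksums left zero (fine for a parser demo)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # zeroed MACs, EtherType IPv4
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8 + payload_len, 0))
    total = 20 + len(l4) + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4 + b"\x00" * payload_len


def write_pcap(frames):
    """Global header (magic 0xa1b2c3d4, v2.4, LINKTYPE_ETHERNET = 1) then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1542364800 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = write_pcap([                                # constructed traffic
    ipv4_frame("10.1.1.100", "192.0.2.10", 6, 51000, 80, 300),
    ipv4_frame("192.0.2.10", "10.1.1.100", 6, 80, 51000, 1400),
    ipv4_frame("10.1.1.100", "10.1.1.25", 6, 51001, 25, 200),
    ipv4_frame("10.1.1.100", "10.1.1.5", 17, 40000, 53, 60),
    ipv4_frame("10.1.1.7", "10.1.1.25", 6, 51002, 445, 5000),
    ipv4_frame("10.1.1.7", "10.1.1.25", 6, 51002, 445, 5000),
])


# ---- reader / decoder ----
def read_pcap(data):
    """Yield (timestamp, frame bytes); handles both byte orders of the classic format only."""
    magic, = struct.unpack("<I", data[:4])
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file (pcapng / nanosecond pcap not handled)")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet link type handled")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield ts_sec, data[pos:pos + incl_len]
        pos += incl_len


def decode(frame):
    """Ethernet/IPv4 plus TCP or UDP ports -> dict; None for anything else (ARP, IPv6, ...)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    rec = {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
           "proto": frame[23], "bytes": struct.unpack("!H", frame[16:18])[0],
           "sport": None, "dport": None}
    if rec["proto"] in (6, 17) and len(frame) >= 14 + ihl + 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return rec


def matches(rec, host=None, ports=()):
    """Filter 'host H and (port A or port B)': host on either end, any listed port on either end."""
    if host and host not in (rec["src"], rec["dst"]):
        return False
    if ports and rec["sport"] not in ports and rec["dport"] not in ports:
        return False
    return True


SERVICES = {80: "HTTP", 25: "SMTP", 53: "DNS", 445: "SMB"}   # port-based stand-in for CBAR


def service_name(rec):
    if rec["sport"] is None:
        return "ip-proto-%d" % rec["proto"]
    port = min(rec["sport"], rec["dport"])               # the lower port is usually the server
    return SERVICES.get(port, "%s/%d" % ("tcp" if rec["proto"] == 6 else "udp", port))


def summarize(pcap_bytes, host=None, ports=()):
    """Unique IPs, top talkers by bytes sent + received, and packets per protocol, after filtering."""
    recs = [r for _, f in read_pcap(pcap_bytes) for r in [decode(f)] if r and matches(r, host, ports)]
    talkers = defaultdict(lambda: {"sent": 0, "received": 0})
    protos = Counter()
    for r in recs:
        talkers[r["src"]]["sent"] += r["bytes"]
        talkers[r["dst"]]["received"] += r["bytes"]
        protos[service_name(r)] += 1
    return {"packets": len(recs),
            "unique_ips": sorted({r["src"] for r in recs} | {r["dst"] for r in recs}),
            "top_talkers": sorted(talkers.items(), key=lambda kv: -(kv[1]["sent"] + kv[1]["received"])),
            "protocols": dict(protos)}
```

Run `summarize(SAMPLE_PCAP)` for the whole file and `summarize(SAMPLE_PCAP, host="10.1.1.100", ports={80, 25})` for the filtered view; the second call is the programmatic equivalent of the corrected capture filter above. The reader refuses pcapng and nanosecond-resolution files rather than misparsing them, which is the usual failure mode when a capture exported from a firewall is not in the classic format.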

The video below shows an example of this feature in use:

Importing PCAP files into LANGuardian

PCAP files can be sourced from many applications and systems. The most popular would be standalone applications like Wireshark or extracted directly from firewall appliances. If you capture traffic for an extended period or from a SPAN or mirror port, they can be large and take time to analyze if you go through one packet at a time.

You can import a PCAP file from any source into LANGuardian. Once the file is imported, it is sent to an IDS and traffic analysis application. The steps involved to import and view the data are:

Log onto your LANGuardian instance and click on the gear symbol on the top right. Select PCAPs

Choose the option to Upload PCAP file

Upload your PCAP file and then click on Process

Click on reports and select Applications in Use. This will show what application activity was captured within the PCAP.

From the sensor drop down, select your PCAP sensor and then run the report

You can repeat the process with the Top Network Events report to check for any Malware or suspicious activity within the PCAP

The video above goes through this process. PCAP import section starts at 3:40.

If you have any questions about how to monitor traffic on your network using LANGuardian, or would like to know more about how our network traffic monitoring tool can meet your organization´s requirements, do not hesitate to contact us and speak with a member from our technical support team.

What Traffic Reports To Focus on if You Are Dealing With Google Unusual Traffic Notifications
https://www.netfort.com/blog/dealing-with-google-unusual-traffic-notifications/
Fri, 16 Nov 2018 11:44:40 +0000

Why does Google sometimes show unusual traffic messages?

Recently I worked with a number of network managers who downloaded our LANGuardian software to try and find the source of malware on their networks. The issue they faced was that clients were being presented with the message “Our systems have detected unusual traffic – possibly Malware from your computer network” when they tried to access Google services.

You then get a reCAPTCHA. To continue using Google, you have to solve the reCAPTCHA. It’s how Google knows you’re a human, not a robot. After you solve the reCAPTCHA, the message will go away and you can use Google again. The image below shows an example of what is displayed.

Google closely monitors what network traffic is directed at their infrastructure. If devices on your network seem to be sending automated traffic to Google, you might see “Our systems have detected unusual traffic from your computer network.” Google considers automated traffic to be:

Software that sends searches to Google to see how a website or webpage ranks on Google

The main reason behind all of this is that Google does not want any automated traffic which is designed to influence search results.

How can I monitor Google traffic on my network?

All Google traffic will flow in and out of your Internet gateways so this is where you need to capture traffic. Use a SPAN or mirror port to capture a copy of traffic going to and from your firewall. Make sure you capture the data inside your network so you can identify what client is sending unusual traffic.

The image below shows a typical setup if you want to detect any unusual traffic on your network. In this we use our LANGuardian traffic analysis tool to monitor traffic coming from a SPAN/mirror port on our core switch. LANGuardian is deep-packet inspection software that monitors network and user activity. The core switch is configured to send a copy of all traffic going to and from the firewall to the monitoring port, which is also known as a SPAN or mirror port.

What traffic reports do I need to look at?

Our LANGuardian product is available as a 30 day trial. This should give you enough time to get to the root of the problem. Once you have the trial installed there are two key reports to focus on. Use the search bar at the top of the LANGuardian GUI to search for these reports:

Top Website Domains with Client IPs (Page Hits)

Top Website Domains with Client IPs

In both cases enter Google into the Website Domain report filter on the left. The first report will show the top clients connecting to Google services based on the number of connections. The second report shows the top clients on your network connecting to Google services based on traffic volumes. Unusual traffic would be seen as a client which is establishing thousands of connections in a short time period like one hour. Unusual traffic volumes can be seen as multiple gigabyte levels to Google search or Google API services.

Click on the image below to access our online demo and see what the reports look like.

If you have any questions about how to monitor traffic on your network using LANGuardian, or would like to know more about how our network traffic monitoring tool can meet your organization´s requirements, do not hesitate to contact us and speak with one of our helpful technical support team.

Monitoring traffic on your network is important if you want to keep it secure and running efficiently. The information obtained by network traffic monitoring tools can be used in multiple security and IT operational use cases to identify security vulnerabilities, troubleshoot network issues and analyze the impact new applications will have on the network. These 5 tips should help you get the most out of your network traffic monitoring application.

1. Choose the right data source

Whatever your motive for monitoring network traffic, you have two main data sources to choose from:

Flow data is great if you are looking for traffic volumes and mapping the journey of a network packet from its origin to its destination. This level of information can help detect unauthorized WAN traffic and make better use of network resources. However, flow-based tools for monitoring network traffic lack the detailed data needed to detect many network security issues or perform true root cause analysis.

Metadata extracted from network packets can help network managers understand how users are using applications, track usage on WAN links, and monitor for malware or other security incidents. Deep packet inspection tools give far deeper visibility by turning the raw packets into readable metadata and enabling network managers to drill down to the finest detail.

2. Pick the correct points on the network to monitor

Naturally with agent-based software, you have to install software on each device you want to monitor. This is not only an expensive way of monitoring network traffic but it creates a significant implementation and maintenance overhead for IT teams. Furthermore, if your objective is to monitor activity on a BYOD or publicly-accessible network, agent-based software will not give you the full picture of user activity because it is impractical (and in some states illegal) to monitor activity on users´ personal devices.

Even with agent-free software, a common mistake many people make when deploying tools to monitor network traffic is that they include too many data sources at the start. There is no need to monitor every network point. Instead you need to pick points where data converges. Examples of this would be Internet gateways, Ethernet ports on WAN routers or VLANs associated with critical servers.

If you are new to getting tools in place to monitor network traffic, I would suggest you start by monitoring your Internet gateway(s). This can be an excellent source of security and operational data. This short video below explains how you can do this with Cisco switches – a similar approach can be applied to other switch vendors.

The image below shows a good approach when it comes to network traffic monitoring for most networks. A SPAN or mirror port is configured at the network core which allows for the capture of any traffic passing through. In my example this would allow me to capture traffic going to and from the Internet as well as traffic associated with important servers.

3. Sometimes real-time data is not enough

The ability to monitor network traffic in real-time is sufficient to achieve many objectives of network traffic monitoring, but sometimes real-time data is not enough. Historical traffic metadata is ideal for network forensics and is just as important if you want to analyze past events, identify trends or compare current network activity with the previous week. For these objectives, it is best to use tools for monitoring network traffic with deep packet inspection.

Some tools for monitoring network traffic choose to age data. This means the further back you go historically, the less detail you get. While this can save on disk space, it is not an ideal solution if you are trying to determine how an intruder managed to overcome your defenses to plant malware on the network. Without accurate and complete data relating to the event, you can be left looking for answers that no longer exist.

It is also a good idea to be aware that some SIEM and network traffic monitoring systems base their pricing on the amount of data you want to store. Keep a watchful eye out for this when you are evaluating solutions. Other appliance-based tools are limited based on the specifications of the system you buy, and an upgrade becomes a replacement appliance which can be expensive. The most flexible option is a network traffic monitoring tool that is software-based and allows you to allocate whatever disk space you think is appropriate.

4. Associate the data with usernames

Traditional network traffic monitoring tools usually report on activity using IP or MAC addresses. While this is useful information, it can make tracking down a specific device difficult in DHCP environments, where addresses change over time. One piece of information that can bring together network activity and devices is usernames. Username association will let you know who is doing what on the network.

5. Check the flows and packet payloads for suspicious content

Many networks have intrusion detection systems at the edge but very few have this type of technology monitoring internal traffic. All it takes is one rogue mobile or IoT device to compromise a network. Another issue I often see is firewalls allowing suspicious traffic through because a rule was misconfigured.

The image below shows an example of this: someone created a rule to allow traffic inbound on TCP 5901 (VNC remote desktop sharing), but they did not limit it to one source and destination. The source addresses in this case appear to be registered in China, and connections from that country would not be expected on this network.

Summary

Not all tools for monitoring network traffic are the same. Generally they can be broken down into two types – flow-based tools and deep packet inspection tools. Within these two types you have the choice of tools that use/don't use software agents, tools that store/don't store historical data, and tools with intrusion detection systems that monitor network traffic within the network as well as at the network edge.

Choose flow-based analysis tools if you want to get traffic volumes and IP addresses associated with WAN or other layer 3 links.

Choose packet analysis tools if you need traffic volumes, IP addresses and more detail to investigate security or operational issues.

If you would like to discuss any of the points raised in this article, do not hesitate to contact us.

Tracking Mobile Devices on Your Network

In this video we look at how you can monitor mobile devices on your network using LANGuardian. LANGuardian is deep-packet inspection software that monitors network, device, and user activity. It uses network traffic as a data source and is typically connected to a SPAN or mirror port at the core of a network.

The video also has a section on how you can choose the best point on your network to monitor traffic associated with mobile devices. A traffic analysis approach does not require the installation of client or agent software on your wireless or mobile devices.

As the video shows, every device (fixed and mobile) and user on a network leaves a traffic trail. This traffic trail contains very useful information and context, but due to the large volumes of traffic on networks these days and the inherent complexity of that traffic, the trail is not easy to read and interpret. Our LANGuardian network traffic analysis engine does the ‘heavy lifting’ of extracting the application-specific metadata and making it useful and usable for organizations of all sizes, even SMEs with limited resources and time.

The screenshot above is a very good example of the useful detail buried deep in normal network traffic. This packet payload shows an iPhone making an HTTP request; our LANGuardian DPI engine looks inside the packets, extracting and storing crucial information like the IP address, operating system and device type. Vendor-agnostic and always ‘on’, network traffic is a very useful data source on any network. You just have to ‘tap into it’ to get immediate internal visibility of devices, users and activity.

Network Traffic Metadata – Four recent customer use cases

Network traffic metadata is rising in popularity because it sits in the sweet spot between full packet capture (Wireshark and PCAPs) on one hand and NetFlow, which lacks detail and drill-down, on the other. Drill-down, granularity, context, and continuous internal visibility are now absolutely critical for organizations of all sizes, including SMEs.

Historically, network traffic analysis based technologies (mostly full packet capture) were seen as too complex and expensive for SMEs and only ever seen on Enterprise networks. Application centric metadata has now made internal visibility a reality for all organizations.

Use Case 1: Monitoring Web Activity Over HTTPS

The opening packets of a TLS/HTTPS session are not encrypted and are sent in clear text. However, the NetFort DPI (Deep Packet Inspection) engine has the ability to conduct an IDP (Initial Data Packet) analysis on these clear text packets, extract the SNI (Server Name Indication) field sent by the client, and the certificate that the server presents.

This allows LANGuardian to report on the domain being accessed, the client and server IPs, and port numbers, as well as other attributes of the connection such as the protocol version used (SSL 1.0, 2.0 or TLS 1.0, 1.2, etc.), the ciphers used, or attributes of the server certificate (SHA1 or SHA256, etc.). A similar technique works with Google's QUIC encrypted UDP protocol.
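To show what the clear-text ClientHello actually exposes, here is an added example (not NetFort's code) that parses a TLS record, pulls out the client's offered protocol version, cipher suites and SNI host name, and returns None for truncated or non-handshake data. The ClientHello bytes are constructed inline purely as test input.

```python
import struct

# Constructed test input: a minimal TLS 1.2 ClientHello carrying an SNI extension.
# Not a real capture; built here so the parser can run offline.
def build_client_hello(hostname):
    name = hostname.encode("ascii")
    sni_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, host_name type, name len
    exts = struct.pack("!HH", 0x000b, 2) + b"\x01\x00"                   # ec_point_formats (parser skips it)
    exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list          # server_name extension
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                          # version, random, empty session id
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"                  # two cipher suites
            + b"\x01\x00"                                                 # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_client_hello(record):
    """Return {'version', 'cipher_suites', 'sni'} from a clear-text ClientHello record, else None."""
    try:
        if record[0] != 0x16:                                  # content type 0x16 = handshake
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                      # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        version = VERSIONS.get(struct.unpack("!H", body[:2])[0], "unknown")
        pos = 35 + body[34]                                    # skip version, random, session id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + cs_len, 2)]
        pos += 2 + cs_len
        pos += 1 + body[pos]                                   # skip compression methods
        sni = None
        if pos + 2 <= len(body):                               # extensions block is optional
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
                if etype == 0 and data[2] == 0:                # server_name ext, host_name entry
                    sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii", "replace")
        return {"version": version, "cipher_suites": suites, "sni": sni}
    except (IndexError, struct.error):
        return None                                            # truncated or malformed packet
```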

Click on the image below to see how this report works on our online demo.

Use Case 2: Alert on Rogue DNS Servers

LANGuardian includes a DNS metadata decoder which monitors DNS traffic, decodes and logs all DNS replies, and makes it possible to go back and review all the resolutions clients are receiving. As a result, it generates an inventory of DNS servers by Geo IP location.
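As an added illustration (not LANGuardian's decoder), the following parses raw DNS reply payloads, records which server answered which name, and flags any responding server that is not on a sanctioned list; the Geo IP step is left out and the sanctioned set and reply packets are constructed test data.

```python
import struct

def read_name(msg, pos):
    """Decode a DNS name at pos, following compression pointers; return (name, next_pos)."""
    labels, end = [], None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                        # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            return ".".join(labels), (pos if end is None else end)
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length

def parse_dns_reply(payload):
    """Return (queried name, [IPv4 answers]) from a DNS response; None for a query."""
    flags, qd, an = struct.unpack("!HHH", payload[2:8])
    if not flags & 0x8000 or qd != 1:                    # QR bit clear = query; one question assumed
        return None
    qname, pos = read_name(payload, 12)
    pos += 4                                             # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        _, pos = read_name(payload, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:                    # A record
            ips.append(".".join(str(b) for b in payload[pos:pos + 4]))
        pos += rdlen
    return qname, ips

def build_reply(qname, ip):
    """Constructed DNS response used as test input (not a real capture)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + q + struct.pack("!HH", 1, 1) + answer

def dns_server_inventory(replies, sanctioned):
    """replies: (server_ip, udp_payload) pairs. Returns ({server: {names}}, set of rogue servers)."""
    seen = {}
    for server, payload in replies:
        parsed = parse_dns_reply(payload)
        if parsed:
            seen.setdefault(server, set()).add(parsed[0])
    return seen, {s for s in seen if s not in sanctioned}
```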

Use Case 3: Contractors’ iPhone Copying Data

Metadata also results in a 400:1 data reduction over full packet capture, giving granular but cost-effective data retention that is ideal for forensics and investigations. LANGuardian includes a Google-like search utility for all user activity retained in the built-in database. This information was recently used to investigate the activity of a contractor on a medium-sized enterprise network who had used an iPhone to access and copy internal data.

Use Case 4: Monitor File and Internet Access For a Single User

LANGuardian’s network traffic analysis engine also includes decoders for all ‘unstructured data’ activity, including Windows (SMB) and UNIX (NFS) file shares and even MS SQL databases. This results in an inventory of such systems on the internal network and an audit trail of all activity by IP, MAC address and user name.

Using our search facility, it is possible to achieve a consolidated view of all internal and Internet network activity by user name for any time period. It is also possible to configure alerts for certain file activity, including file or folder deletes. No agents or clients are required, which makes network metadata an excellent non-intrusive option for monitoring network user activity.

Visit our live system HERE to see more examples of the unparalleled levels of visibility you can easily achieve on your network by using traffic metadata.